SANS Digital Forensics and Incident Response Blog

Recently, I spoke to students in a computer forensics class who will be graduating in the spring of 2013 about getting a job in computer forensics after school. We covered interview tips and performed mock forensic job interviews when I realized there are some pointers that I could share about the process from a hiring manager's perspective to help candidates better prepare for seeking that first position in computer forensics. While many aspects of getting that first job are common in any field, serious computer forensics professionals do have a mindset, attitude and passion that require a certain approach when a candidate is looking for their first job in the field.

Resume/C.V.:

Generally a resume is skimmed and reviewed in about 20-30 seconds which means you need to make sure it is laid out in a way that gets you on the short stack of potential candidates. You want to consider ordering sections by your objectives, education, skills/tools/languages, experience, certifications, awards and professional organizations. Keep it simple, be concise (do not cram in too much information and keep it to 1 or 2 pages). Be sure to use keywords that will hook the reader. Remember your goal is to have that resume get you a phone or, better yet, live interview. Make the form follow the function. Also, be prepared to have several versions of your resume tailored to the position or positions you are seeking (IR, e-discovery, consulting). Your resume is a living document and one size doesn't fit all.

Know Your Audience:

You will rarely talk to only one person when seeking a position. Most of the time you will be dealing with someone in human resources, a hiring manager, department heads as well as other people you could potentially work with and each person has a different skillset, objective and need.

Do your research before your interview. Put on your investigator's cap and learn about the company you are interviewing with. It is also good to know if the person you are speaking with at that moment will have the technical background to appreciate a decompiler you wrote at 13 or if they are more concerned about your education history. Sites such as LinkedIn and the company's web site can provide a wealth of information about the people and organizational structure you could be dealing with. If available, read the financial statements to get a sense of the firm's financial strength.

It would also benefit you to try to ascertain how long their computer forensic department or service line has been around or why it was formed. Is the department new? Is it by acquisition of another company? Was the group a result of a new law or regulation? Many of these questions can be answered by taking the time to profile the firm to see if it is a fit for you before you apply.

First Impressions:

When you make that first contact with someone on the other end of the phone or in person, they will instantly be evaluating you consciously and sub-consciously. We are in a very technical field filled with computer science, math, acronyms and many of us feel more comfortable behind a monitor instead of in face-to-face situations. Step back and consider how you will be perceived and even try to think of this as a social engineering experiment of how you can gain further access into the system by your personal presentation and communication skills.

Beg, borrow or steal (ok, don't steal) and get a suit, clean pressed shirt and tie when you go to meet people. Being well dressed for an interview shows respect and consideration for the person interviewing you. This may be a position with a relaxed dress policy, but leave the Defcon 14 shirt at home and dress for success the first time in the door.

Speak clearly, slowly and make eye contact with the interviewer to give the person a sense of your self-assurance. When talking on the phone, you also need to project a sense of knowledge and confidence in your ability to perform the job. Again, this can be hard for many technically inclined people, but go with the mindset that this is a natural conversation about yourself and don't simply reiterate what's on your resume with lots of technical language.

Certifications:

Certifications can be good, bad or ugly depending on your skills, experience and the position you are applying for. In many entry-level positions there will be some basic requirement for either a tool-specific or tool-agnostic certification. Take the time to get to know the various certifications and what they mean because some may be more applicable to your long-term career path than others. Conversely, you may be applying at a firm where a certain tool-specific certification is not important because they use a different tool than what you are certified in.

Another thing to consider is too many certifications in too short of a time frame. This can give the impression that you simply got certified to be certified and may not possess the actual skills the certification represents. Also, many certifications require re-certification or continuing education that might not be in the budget at the company where you are applying. Remember, certifications should serve as a complement to your experience, skills and character - not as a professional definition.

Questions To Be Prepared For:

There will be some common questions that you will be asked in many of the interviews. I can't stress this enough. There are no wrong or right answers in an interview! Just be honest with the interviewer because you are being evaluated as a role player and not expected to be all things to all people - it doesn't help anyone to have you playing 3rd base when you are better at 1st. Here are a few examples:

What tools have you used and/or are experienced with?

Don't go beyond what you know and have experience with. If the lab at the school or where you are interning has a popular commercial tool you never used and you do things in Python - don't say you use the commercial tool.

What operating systems do you feel comfortable with?

Like the tools, be able to discuss OS's that you have experience with and your depth of knowledge. You might be interviewing at a place that runs PCI investigations on client systems with Linux and you are a Windows person - this is fine, but it should be discussed early so there are no false expectations.

What languages do you know?

When asked about programming languages, stick to the ones you use often and don't rattle off everything you ever wrote a script with. Most people have a few languages they feel really comfortable in so be specific about them.

Are you willing to travel - if so how much (20%, 30%, 75% of the time)?

Many forensic jobs will require travel. Know your limitations and how comfortable you are being away from friends, family, pets and home.

How do you keep your skills current/what do you do to keep abreast of industry changes?

Computer forensics is not a passive field and requires that you stay up to date with constant changes. Have a plan to keep abreast of technology and industry changes, whether it is forums, blogs, social media, meet-ups, conferences, etc., and be prepared to explain it.

Tell me about your lab environment at home?

You do not need to have a full rack with 24 processors running, but it is assumed that you have at a minimum a personal laptop with some virtualization support to test theories, scripts and tools.

Where would you like to be in the field 1, 3 and/or 5 years from now?

Questions such as these help both you and the prospective employer get a sense of your career path. Is this just a job you want to use as a jumping off point and plan to leave in two years, or are you looking to develop a career within the organization? Knowing your long-term goals will help you properly assess opportunities and whether the firm you are applying to can support you.

What are your salary expectations?

Money can be an uncomfortable subject for people, but it is a necessary topic when you are being compensated for your forensication efforts. "I dunno", "How much you got" or "1 million dollars" with a Dr. Evil impersonation are not acceptable answers. Talk to peers in the field and do some online research for salaries at the level you are applying for to get an idea of the ranges. Be prepared to have this conversation and understand that it can be negotiated.

Questions You Should Ask:

Interviewing is not a one-way street. You should approach the situation with confidence and understand that the employer needs you as much as, if not more than, you need them. Be prepared to ask questions and feel out the opportunity to make sure you are entering a situation that will meet your needs. Here are a few suggested questions you should ask during your interview:

What will I be responsible for?

How many hours a week are expected from me?

What benefits are included?

How much vacation time will I get? How is it accrued?

Can I meet people I might work with?

Can I see the lab?

What advancement opportunities exist?

How much training is available?

Deep Breath

Interviewing can take time and practice - you will not likely hit a home run your first at bat. After a few interviews you should start to get the feel for it and be more confident.

Be patient. You may not hear back right away and it can take weeks (if not months) to get through the interview and HR gauntlet at a firm.

Be specific. Know your current goals with the understanding they will change as you grow.

Be concise. Less is more and no one person knows it all.

Don't be afraid to say "no thank you" to a job offer. Don't take a position because you feel you will not have another opportunity. This is an industry where there are more positions than candidates.

Getting into the field of computer forensics is about a lifestyle choice, not just about having a job. For many it is also an "off the clock" hobby. It is a passion reflected in how you approach everything else in your day-to-day life as you deconstruct, reverse engineer and hack to gain a deeper understanding of how things work. So take a deep breath and approach the process methodically with clear goals like any other challenge. Appreciate the opportunity to do something you are passionate about - not everyone is this fortunate.
